From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gerd Hoffmann <kraxel@redhat.com>,
	P J P <ppandit@redhat.com>
Subject: [Qemu-devel] [PATCH 28/56] vmsvga: shadow fifo registers
Date: Mon,  8 Aug 2016 16:03:59 -0500	[thread overview]
Message-ID: <1470690267-31454-29-git-send-email-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <1470690267-31454-1-git-send-email-mdroth@linux.vnet.ibm.com>

From: Gerd Hoffmann <kraxel@redhat.com>

The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without synchronization.  Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
 1 file changed, 28 insertions(+), 29 deletions(-)

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index a26e62e..de2567b 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -66,17 +66,11 @@ struct vmsvga_state_s {
     uint8_t *fifo_ptr;
     unsigned int fifo_size;
 
-    union {
-        uint32_t *fifo;
-        struct QEMU_PACKED {
-            uint32_t min;
-            uint32_t max;
-            uint32_t next_cmd;
-            uint32_t stop;
-            /* Add registers here when adding capabilities.  */
-            uint32_t fifo[0];
-        } *cmd;
-    };
+    uint32_t *fifo;
+    uint32_t fifo_min;
+    uint32_t fifo_max;
+    uint32_t fifo_next;
+    uint32_t fifo_stop;
 
 #define REDRAW_FIFO_LEN  512
     struct vmsvga_rect_s {
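Review bot: The new fifo_min/fifo_max/fifo_next/fifo_stop members carry no comment stating that they are qemu-private copies of the header words in fifo[], which the commit message says is guest ram that can change underneath us, so a later reader has nothing in the struct telling them which of the two to trust. A comment above `uint32_t fifo_min;` along the lines of `/* Shadows of fifo[SVGA_FIFO_MIN..SVGA_FIFO_STOP], refreshed and range-checked by vmsvga_fifo_length(); use these, not fifo[], after the checks. */` would make the contract visible where the fields are declared. struct vmsvga_state_s begins above this hunk and continues below it.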
@@ -198,7 +192,7 @@ enum {
      */
     SVGA_FIFO_MIN = 0,
     SVGA_FIFO_MAX,      /* The distance from MIN to MAX must be at least 10K */
-    SVGA_FIFO_NEXT_CMD,
+    SVGA_FIFO_NEXT,
     SVGA_FIFO_STOP,
 
     /*
@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
 }
 #endif
 
-#define CMD(f)  le32_to_cpu(s->cmd->f)
-
 static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
 {
     int num;
@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
         return 0;
     }
 
+    s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
+    s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
+    s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
+    s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
+
     /* Check range and alignment.  */
-    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+    if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
         return 0;
     }
-    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+    if (s->fifo_min < sizeof(uint32_t) * 4) {
         return 0;
     }
-    if (CMD(max) > SVGA_FIFO_SIZE ||
-        CMD(min) >= SVGA_FIFO_SIZE ||
-        CMD(stop) >= SVGA_FIFO_SIZE ||
-        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
+    if (s->fifo_max > SVGA_FIFO_SIZE ||
+        s->fifo_min >= SVGA_FIFO_SIZE ||
+        s->fifo_stop >= SVGA_FIFO_SIZE ||
+        s->fifo_next >= SVGA_FIFO_SIZE) {
         return 0;
     }
-    if (CMD(max) < CMD(min) + 10 * 1024) {
+    if (s->fifo_max < s->fifo_min + 10 * 1024) {
         return 0;
     }
 
-    num = CMD(next_cmd) - CMD(stop);
+    num = s->fifo_next - s->fifo_stop;
     if (num < 0) {
-        num += CMD(max) - CMD(min);
+        num += s->fifo_max - s->fifo_min;
     }
     return num >> 2;
 }
 
 static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
 {
-    uint32_t cmd = s->fifo[CMD(stop) >> 2];
+    uint32_t cmd = s->fifo[s->fifo_stop >> 2];
 
-    s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
-    if (CMD(stop) >= CMD(max)) {
-        s->cmd->stop = s->cmd->min;
+    s->fifo_stop += 4;
+    if (s->fifo_stop >= s->fifo_max) {
+        s->fifo_stop = s->fifo_min;
     }
+    s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
     return cmd;
 }
 
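Review bot: fifo_next and fifo_stop are bounded only by SVGA_FIFO_SIZE in the second `if` after the alignment check, not by the [fifo_min, fifo_max) window the rest of the function assumes, so `num` at the end can be derived from a value outside the ring; the reads themselves appear to stay inside the buffer, since fifo_stop is below SVGA_FIFO_SIZE and vmsvga_fifo_read_raw wraps it to fifo_min at fifo_max (assuming the buffer is SVGA_FIFO_SIZE bytes), but the returned length then need not describe real commands. Rejecting such headers like the others, `if (s->fifo_stop < s->fifo_min || s->fifo_stop >= s->fifo_max || s->fifo_next < s->fifo_min || s->fifo_next >= s->fifo_max) { return 0; }`, would keep the subtraction and wrap-around on the values they were written for. The `sizeof(uint32_t) * 4` in the fifo_min check replaces the old offset-of-fifo computation with a bare count; `(SVGA_FIFO_STOP + 1) * sizeof(uint32_t)` would tie it to the enum that defines the header. The write-back `s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);` now appears here in vmsvga_fifo_read_raw and again in the rewind path of the last hunk; a small static inline setter that updates the shadow and the guest copy together would keep the two from drifting apart. vmsvga_fifo_length starts above this hunk, in the previous one.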
@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
     len = vmsvga_fifo_length(s);
     while (len > 0) {
         /* May need to go back to the start of the command if incomplete */
-        cmd_start = s->cmd->stop;
+        cmd_start = s->fifo_stop;
 
         switch (cmd = vmsvga_fifo_read(s)) {
         case SVGA_CMD_UPDATE:
@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             break;
 
         rewind:
-            s->cmd->stop = cmd_start;
+            s->fifo_stop = cmd_start;
+            s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
             break;
         }
     }
-- 
1.9.1

